Krzysztof A. Adamski wrote:
Apache is confined in the default SELinux policy on
CentOS/Fedora/RHEL (and also in all SELinux-enabled distros using the
reference policy). This means that the apache process can't connect to the
funcwebd port (51236) unless we use one of the following:
1. Set httpd_can_network_connect
# setsebool -P httpd_can_network_connect 1
This basically means that the httpd process can connect to any port it
wants. This obviously gives httpd much more power than it needs.
2. Use semanage to mark 51236 port as http_port_t:
# semanage port -a -t http_port_t -p tcp 51236
This basically means that 51236 is one of apache's own ports, so
it can connect to it without any problems.
3. Ship our own loadable SELinux policy:
module funcweb 0.1;

require {
    type httpd_t;
    type port_t;
    attribute port_type;
    class tcp_socket name_connect;
}

type funcweb_port_t, port_type;

allow httpd_t funcweb_port_t:tcp_socket name_connect;
Save the above as funcweb.te, then compile and load the module:
# checkmodule -M -m -o funcweb.mod funcweb.te
# semodule_package -o funcweb.pp -m funcweb.mod
# semodule -i funcweb.pp
Now we have to specify which port(s) should be marked as
funcweb_port_t:
# semanage port -a -t funcweb_port_t -p tcp 51236
I've only done some limited testing on CentOS5 and FC8, but it's
simple so it should be working ok. I'm not sure about some older
RHELs with some ancient SELinux. Does RHEL4 support loadable
policy? I'll probably have to check that.
I personally like the 3rd option the most. Any comments?
Definitely the 3rd option.
Any objections to installing the policy in the RPM?
_______________________________________________
Func-list mailing list
Func-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/func-list
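An added check that is not part of the thread or of func itself: given the output of `semanage port -l` and `getsebool httpd_can_network_connect`, it reports which of the three options above is currently in effect for 51236/tcp on a host (1 = boolean, 2 = http_port_t, 3 = funcweb_port_t, 0 = connection will be denied). The sample outputs are constructed, not captured from a real machine. Two simplifications are assumptions: when several definitions cover a port, the narrowest one is taken to be its label, and a port no definition covers is reported as port_t.

```python
#!/usr/bin/env python3
"""Map a host's SELinux state onto the three ways of letting httpd_t reach
the funcwebd port.  Added example, not code from the func project."""
import re
import subprocess

FUNCWEB_PORT = 51236
BOOLEAN = "httpd_can_network_connect"

# Constructed sample output in the layout of `semanage port -l`
# (type, protocol, then single ports and ranges); not from a real host.
SAMPLE_PORTS_OPTION3 = """\
SELinux Port Type              Proto    Port Number

funcweb_port_t                 tcp      51236
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
unreserved_port_t              tcp      1024-65535
unreserved_port_t              udp      1024-65535
"""
SAMPLE_PORTS_DEFAULT = SAMPLE_PORTS_OPTION3.replace(
    "funcweb_port_t                 tcp      51236\n", "")
SAMPLE_PORTS_OPTION2 = SAMPLE_PORTS_DEFAULT.replace("8443\n", "8443, 51236\n")
BOOL_OFF = "httpd_can_network_connect --> off\n"   # constructed getsebool output
BOOL_ON = "httpd_can_network_connect --> on\n"


def parse_semanage_ports(text):
    """Return a list of (setype, proto, lo, hi) entries from `semanage port -l`."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"^(\w+)\s+(tcp|udp)\s+([\d,\s-]+)$", line.strip())
        if not m:                      # header, blank and unrelated lines
            continue
        setype, proto, ports = m.groups()
        for item in ports.split(","):
            item = item.strip()
            if not item:
                continue
            lo, _, hi = item.partition("-")   # "51236" or "1024-65535"
            entries.append((setype, proto, int(lo), int(hi or lo)))
    return entries


def port_label(entries, proto, port):
    """Assumed rule: the narrowest entry covering the port is its label;
    an uncovered port falls back to port_t."""
    best = None
    for setype, p, lo, hi in entries:
        if p == proto and lo <= port <= hi:
            if best is None or (hi - lo) < (best[2] - best[1]):
                best = (setype, lo, hi)
    return best[0] if best else "port_t"


def parse_getsebool(text, name):
    """True if `getsebool <name>` reports the boolean as on."""
    m = re.search(rf"^{re.escape(name)}\s+-->\s+(on|off)\s*$", text, re.M)
    if not m:
        raise ValueError(f"boolean {name} not found in getsebool output")
    return m.group(1) == "on"


def assess(semanage_text, getsebool_text, port=FUNCWEB_PORT):
    """Which option from the thread is in effect for httpd_t -> port/tcp."""
    label = port_label(parse_semanage_ports(semanage_text), "tcp", port)
    if parse_getsebool(getsebool_text, BOOLEAN):
        option, note = 1, "boolean on: httpd_t may connect to any port"
    elif label == "http_port_t":
        option, note = 2, "port labelled as one of httpd's own ports"
    elif label == "funcweb_port_t":
        option, note = 3, "dedicated port type; least privilege of the three"
    else:
        option, note = 0, "httpd_t -> funcwebd will be denied (expect an AVC)"
    return {"port": port, "label": label, "option": option, "note": note}


def live_audit():
    """Run on a real host with policycoreutils installed; not used by the tests."""
    ports = subprocess.run(["semanage", "port", "-l"],
                           capture_output=True, text=True, check=True).stdout
    bools = subprocess.run(["getsebool", BOOLEAN],
                           capture_output=True, text=True, check=True).stdout
    return assess(ports, bools)


if __name__ == "__main__":
    for name, ports, bools in [("option 3", SAMPLE_PORTS_OPTION3, BOOL_OFF),
                               ("option 2", SAMPLE_PORTS_OPTION2, BOOL_OFF),
                               ("option 1", SAMPLE_PORTS_DEFAULT, BOOL_ON),
                               ("untouched", SAMPLE_PORTS_DEFAULT, BOOL_OFF)]:
        print(name, assess(ports, bools))
```

Run it without arguments to see the four constructed cases, or call `live_audit()` on a host to confirm that a shipped funcweb.pp actually labelled 51236 before blaming httpd for a failed connection.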